X509: Remove MBEDTLS_SSL_PREVERIFY_CB
Add a callback typedef
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 845a299..be80332 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -600,11 +600,6 @@
#error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
#endif
-#if defined(MBEDTLS_SSL_PREVERIFY_CB) && \
- !defined(MBEDTLS_X509_CRT_PARSE_C)
-#error "MBEDTLS_SSL_PREVERIFY_CB defined, but not all prerequisites"
-#endif
-
#if defined(MBEDTLS_THREADING_PTHREAD)
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index dc3ba9d..b5905ef 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1437,15 +1437,6 @@
//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
/**
- * \def MBEDTLS_SSL_PREVERIFY_CB
- *
- * Enable support for a pre-verification callback for received certificates.
- *
- * Uncomment this to enable support for the preverification callback
- */
-//#define MBEDTLS_SSL_PREVERIFY_CB
-
-/**
* \def MBEDTLS_THREADING_ALT
*
* Provide your own alternate threading implementation.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 4d0d6a1..fa5ae2f 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -535,6 +535,16 @@
*/
typedef int mbedtls_ssl_get_timer_t( void * ctx );
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief Callback type: receive notification before X.509 chain
+ * building
+ *
+ * \param ctx Context pointer
+ * \param crt X.509 certificate pointer
+ */
+typedef void mbedtls_ssl_pre_verify_t( void *ctx, mbedtls_x509_crt *crt );
+#endif
/* Defined below */
typedef struct mbedtls_ssl_session mbedtls_ssl_session;
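Review bot: The new `mbedtls_ssl_pre_verify_t` typedef documents neither that the callback returns `void` and therefore cannot reject the certificate, nor that `crt` is handed over as a mutable pointer; a reader could mistake it for a second verification hook. I would extend the Doxygen block with `\note This callback is informational only: it cannot veto the certificate, which is still verified by the f_vrfy callback afterwards.` and `\note The callback must not modify or free \p crt.` If nothing is meant to mutate the certificate, consider making the parameter `const mbedtls_x509_crt *crt`, though I cannot see from this hunk whether any caller relies on the non-const form.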
@@ -624,17 +634,15 @@
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ /** Callback to receive notification before X.509 chain building */
+ mbedtls_ssl_pre_verify_t *f_pre_vrfy;
+ void *p_pre_vrfy; /*!< context for pre-verify calllback */
+
/** Callback to customize X.509 certificate chain verification */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; /*!< context for X.509 verify calllback */
#endif
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
- /** Callback to receive notification before X.509 chain building */
- void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
- void *p_pre_vrfy; /*!< context for pre-verify calllback */
-#endif
-
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
/** Callback to retrieve PSK key from identity */
int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
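Review bot: The added field comment on `p_pre_vrfy` carries the typo "calllback", copied from the neighbouring `p_vrfy` comment; since this line is new, it should read `void *p_pre_vrfy; /*!< context for pre-verify callback */`. The field block is otherwise consistent with `f_vrfy`/`p_vrfy` directly below it. The enclosing struct starts and ends outside this hunk.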
@@ -1082,9 +1090,7 @@
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
/**
* \brief Set the pre-verification callback (Optional).
*
@@ -1096,10 +1102,10 @@
* \param f_pre_vrfy pre-verification function
* \param p_pre_vrfy pre-verification parameter
*/
-void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
- void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
- void *p_pre_vrfy);
-#endif /* MBEDTLS_SSL_PREVERIFY_CB */
+void mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,
+ mbedtls_ssl_pre_verify_t *f_pre_vrfy,
+ void *p_pre_vrfy);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
/**
* \brief Set the random number generator callback
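Review bot: The new prototype mixes spacing styles: it opens with `mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,` but closes with `void *p_pre_vrfy);`, whereas the sibling `mbedtls_ssl_conf_verify` above closes with `void *p_vrfy );`. For consistency with the surrounding header the last line should be `void *p_pre_vrfy );`. The same mismatch appears in the definition in library/ssl_tls.c (`void *p_pre_vrfy)` followed by `{`). Since the setter is now guarded by MBEDTLS_X509_CRT_PARSE_C alone, the doc block could also say that the callback is optional and that passing NULL for `f_pre_vrfy` disables it, which matches the NULL check in ssl_tls.c.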
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 55d145a..c87b370 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4625,16 +4625,15 @@
ca_crl = ssl->conf->ca_crl;
}
- /*
- * Main check: verify certificate
- */
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
if( ssl->conf->f_pre_vrfy != NULL )
{
ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy,
ssl->session_negotiate->peer_cert );
}
-#endif
+
+ /*
+ * Main check: verify certificate
+ */
ret = mbedtls_x509_crt_verify_with_profile(
ssl->session_negotiate->peer_cert,
ca_chain, ca_crl,
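Review bot: The pre-verify call is now always compiled but nothing at the call site says what it may or may not do, and the typedef's description "before X.509 chain building" does not match where it runs: `peer_cert` has already been parsed here and the call sits immediately before `mbedtls_x509_crt_verify_with_profile`, so it is a pre-verification notification, not a pre-chain-building one. I would add above the `if`: `/* Notification only: f_pre_vrfy cannot reject the certificate; the actual check is f_vrfy via verify_with_profile below. */` and align the typedef text in ssl.h accordingly. Whether `peer_cert` is guaranteed non-NULL at this point is not visible in the hunk; the enclosing function starts and ends outside it.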
@@ -5884,17 +5883,15 @@
conf->f_vrfy = f_vrfy;
conf->p_vrfy = p_vrfy;
}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
-void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
- void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
- void *p_pre_vrfy)
+void mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,
+ mbedtls_ssl_pre_verify_t *f_pre_vrfy,
+ void *p_pre_vrfy)
{
conf->f_pre_vrfy = f_pre_vrfy;
conf->p_pre_vrfy = p_pre_vrfy;
}
-#endif /* MBEDTLS_SSL_PREVERIFY_CB */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
int (*f_rng)(void *, unsigned char *, size_t),
diff --git a/library/version_features.c b/library/version_features.c
index ae7bc8f..da47e3d 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -471,9 +471,6 @@
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
"MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT",
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
- "MBEDTLS_SSL_PREVERIFY_CB",
-#endif /* MBEDTLS_SSL_PREVERIFY_CB */
#if defined(MBEDTLS_THREADING_ALT)
"MBEDTLS_THREADING_ALT",
#endif /* MBEDTLS_THREADING_ALT */
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index fcfaf45..c858467 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -82,7 +82,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_PREVERIFY_CB:MBEDTLS_FS_IO:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_AES_C:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC */
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_AES_C:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC */
void ssl_preverifycb( char *crt_file )
{
mbedtls_ssl_context ssl;
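Review bot: Dropping MBEDTLS_SSL_PREVERIFY_CB from `depends_on` removes the only dependency that implied MBEDTLS_X509_CRT_PARSE_C (check_config.h previously enforced that relation), yet `mbedtls_ssl_conf_pre_verify` and the `f_pre_vrfy` field now exist only under MBEDTLS_X509_CRT_PARSE_C. If `ssl_preverifycb` calls that setter (its body continues outside the hunk), the dependency line should become `/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_AES_C:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC */`, otherwise a build without X.509 parsing will fail to compile the test rather than skip it.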